Renew CA #936

Open
TinCanTech opened this issue Apr 12, 2023 · 7 comments · Fixed by #1217, #1219 or #1220
Labels
discussion documentation renew I cannot go back; No. But if you could, would you really want to? Sticky Remain open

Comments

@TinCanTech
Collaborator

TinCanTech commented Apr 12, 2023

You want to renew your CA and your OpenVPN keeps on working.

This is not possible.

All of your clients require the renewed CA certificate.

The renewed CA certificate MUST be forwarded to your clients, there is no alternative.

Source: #379 (comment)

Linked-to: #609 (comment)


Even after considering this absolute fact, EasyRSA has the option to offer a minor, secure shortcut.


The question:

  • Is renewing a CA any different to building a new CA?

Can EasyRSA make renewing your old CA easy and secure?

Maybe ...


@aduzsardi

aduzsardi commented Sep 15, 2023

AFAIK the OpenVPN ca file/option can take more than one CA; if this is the case, one solution for an expiring CA would be to not issue new client/server certificates once it is about to expire and the newly issued leaf certificate would exceed the life span of the CA.

At that point, just create a new CA and carry on.

@TinCanTech
Collaborator Author

This is authoritative information, provided by David Sommerseth, OpenVPN Inc:
https://www.mail-archive.com/openvpn-users@lists.sourceforge.net/msg07265.html

@TinCanTech TinCanTech pinned this issue Jan 10, 2024
@TinCanTech TinCanTech unpinned this issue Jan 24, 2024
@TinCanTech
Collaborator Author

TinCanTech commented Jan 25, 2024

Because renewing a CA is more complicated than building a new CA, Easy-RSA does not renew the CA.

The recommended procedure is to use:

easyrsa --days="$hasta_la_vista" build-ca

Where $hasta_la_vista is the expected lifetime of your CA.

But I must draw your attention to: #941

@aduzsardi

Thanks for the updates @TinCanTech

I just want to reiterate that my solution works as expected; tested a couple of weeks ago.
When your original CA is about to expire, just don't issue any new client/server certificates with it and build a new one.

Add the new CA certificate to the <ca></ca> list of the VPN server so that the server can authenticate client certificates issued by the new CA.
Unless you also replace the server certificate to use the new CA, you should include the OLD CA in your clients' <ca></ca> list.

This way both old and new clients can authenticate until all the old certificates expire and the OLD CA is decommissioned
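The transition described above, as an added example that is not part of this thread or of Easy-RSA: throwaway old and new CAs and one client cert from each are constructed with openssl, the server's inline <ca></ca> block is assembled from both CA certs, and `openssl verify` stands in for the server's client-certificate check. All file names and CA names are assumptions.

```shell
#!/bin/sh
# Added example, not Easy-RSA or OpenVPN code: build the server's inline
# <ca></ca> block from both the old and the new CA and check which client
# certificates it accepts. All CAs, certs and names here are constructed.
set -e
WORK=$(mktemp -d)

# Self-signed CA; the default openssl.cnf extensions mark it CA:TRUE.
make_ca() {  # $1 = CA name
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Leaf (client) certificate issued by the named CA.
make_client() {  # $1 = CA name, $2 = client name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -days 10 -in "$WORK/$2.csr" -CA "$WORK/$1.crt" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.crt" 2>/dev/null
}

# Config fragment whose inline <ca> block concatenates every CA cert given.
write_ca_block() {  # $1 = output config, $2... = CA cert files
  out=$1; shift
  { echo "<ca>"; cat "$@"; echo "</ca>"; } > "$out"
}

# Pull the PEM bundle back out of the <ca> block (what OpenVPN would trust).
ca_bundle() { sed -n '/^<ca>$/,/^<\/ca>$/p' "$1" | sed '1d;$d'; }

# Exit 0 when client cert $2 chains to a CA in config $1's <ca> block.
accepts() {
  ca_bundle "$1" > "$WORK/bundle.pem"
  openssl verify -CAfile "$WORK/bundle.pem" "$2" >/dev/null 2>&1
}

make_ca old-ca
make_ca new-ca
make_client old-ca old-client    # issued before the cut-over
make_client new-ca new-client    # issued by the new CA only
write_ca_block "$WORK/before.conf" "$WORK/old-ca.crt"
write_ca_block "$WORK/transition.conf" "$WORK/old-ca.crt" "$WORK/new-ca.crt"
```

With only the old CA in the block, the new CA's client is rejected; with both CAs listed, clients from either CA are accepted, which is what lets old certificates age out before the old CA is dropped.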

@TinCanTech
Collaborator Author

TinCanTech commented Jan 25, 2024

@aduzsardi Your approach is acceptable, I shall take another look at this. Thank you for your persistence ;-)

@TinCanTech TinCanTech added the renew I cannot go back; No. But if you could, would you really want to? label Jul 11, 2024
@TinCanTech TinCanTech reopened this Aug 19, 2024
@TinCanTech TinCanTech reopened this Sep 3, 2024
@TinCanTech
Collaborator Author

TinCanTech commented Nov 2, 2024

EasyRSA v3.2, simple renewal of an expired CA certificate:

@TinCanTech
Collaborator Author

TinCanTech commented Nov 10, 2024

For command init-pki soft, it has been recommended by OpenVPN developers that keeping the old CA key is more useful than creating a new CA key.
